- 11 Mar 2024
- 4 Minutes to read
- DarkLight
- PDF
Enabling Access for Trusted Devices
- Updated on 11 Mar 2024
- 4 Minutes to read
- DarkLight
- PDF
After you have established device trust and configured your threat and risk policies, you are ready to provide those "sanctioned and secured" devices with secure access to your company resources.
The Trusted Access solution calls for the use of Jamf Connect, Jamf's cloud-native Zero Trust Network Access product, to faciliate high-performance and user-friendly connectivity while delivering advanced network security capabilities for any SaaS, private cloud, or on-prem application.
You may also use partner integrations that utilize API signaling to indicate a given device's management and compliance state. These integrations only apply to a subset of applications, and may be used instead of or in addition to Jamf Connect depending on your requirements.
Jamf Connect should not be confused with other VPN and ZTNA products. While it does provide secure remote access to resources like a VPN, it uniquely enables Trusted Access in some very significant ways:
- It is cloud-native, utilizes next-generation Wireguard tunneling technology and adopts advanced identity integrations, which put together delivers a nearly invisible yet loved user experience.
- It is designed from the ground-up upon least privilege access principles, ensuring that authorized users can only access the data they need, not everything on the internal network.
- It integrates natively with Jamf management and security products to ensure only sanctioned and secure devices are able to access resources based upon your own risk-based policy definition.
As a result, use of a third-party VPN solution is unable to satisfy the requirements necessary to realize Trusted Access.
For macOS devices, you are able to further configure Partner Conditional Access via Jamf Pro to enable those partner services to allow or deny access based upon device compliance state (e.g. Smart Group membership).
Deploying Jamf Connect
By deploying Jamf Connect, you are creating a trusted and private network path between managed endpoints and all of your organization's applications.
You will need access to a Jamf Security Cloud (RADAR) account that is licensed for Jamf Connect to complete these steps.
If you do not have an account, please contact your Jamf Account team so they may spin up a free demo account up for you!
Follow these steps to get Jamf Connect up and running in your environment to establish fast and secure connectivity:
Review and understand the Jamf Connect Architecture, or watch this 20-minute JNUC'21 video introducing you to it.
Login to your Jamf Security Cloud account and link your identity provider to allow end users to activate Private Access via the Jamf Trust app using their corporate credentials.
Create an Activation Profile that configures the Network Access, Content Controls and Security service capabilities and utilizes your identity provider for authentication.
- Make sure you disable Identity-based Provisioning for your newly created activation profile. This will ensure only managed devices may activate using it.
- You may create other Activation Profiles that do use this feature to cover contractor devices or other devices that cannot be enrolled to MDM, but should only have very narrow access instead.
Define device groups that will be used to map users and their devices to specific apps they should (or should not) be able to access (e.g. "Executives", "Engineering", "Sales")
Configure integration with Jamf Pro.
- Configure group mapping to map Jamf Pro Smart Groups to the appropriate groups you defined above.
- (Optional) Definedevice field mappings as appropriate.
Establish secure access to your applications and data resources by configuring one or more private interconnect gateways between the Jamf Security Cloud and your data center(s) and private cloud(s).
Configure Custom DNS zone(s) if you use an internal domain name server or split-brain DNS to reach internal resources.
Configure Access Policies that define your organization's applications, their access policies, and reachability (either via the public internet or a configured private interconnect gateway).
- If the app you are defining contains sensitive data, be sure to limit access to only the groups that need to access in the Users and Groups tab, and define the maximum tolerable risk level in the Security tab of the access policy.
- Note: you can customize the severity of each threat category that determines a device's risk score using RADAR's security policy configuration.
Deploy Jamf Trust to Devices (the Jamf Connect endpoint agent) using Jamf Pro or other applicable device managment tools for your enrolled devices' platforms.
- For BYOD iOS/iPadOS devices, be sure to follow the specific "Deploy Jamf Trust" instructions in the User Enrollment article.
When Jamf Connect is properly deployed and configured, all enterprise application connectivity is encrypted to the Jamf Security Cloud and subject to access policies that have been defined.
For a techical under-the-hood explanation of how Private Access works, check out our Network Engineer's Guide to Private Access.
Partner Management State Integrations
While Jamf Connect is used to enable network-based connectivity and access control to any TCP or UDP application – including SaaS and private on-premise apps – it is possible to signal a device's management state and other metadata via integrations with select partners.
This allows the parter's platform to determine if a given device is managed by Jamf Pro and meets specific compliance requirements. It can also be used to signal the device's compliance state or risk level to drive Risk-based Access to company data. These signals are used to inform policies as defined in the partner's access platform.
Jamf's partner management integrations include:
- AWS Verified Access for macOS
- Device Compliance with Microsoft Entra and Jamf
- Google BeyondCorp Enterprise Integration with Jamf Pro
Enhancing Login Security and End User Experience
As the industry moves towards a password-less future, the foundations for more secure and seamless login capabilities are already here.
See Enhancing and Securing Logins to learn how to not only improve app login security, but dramatically improve user experience as well.
Restricting Access for Anonymous Devices
Upon implementing one or both of the above strategies to identify trusted devices, your next step is to configure applications to only allow connections from these "trusted" devices.
See Restricting Access for Anonymous Devices for details.